Email security surveys love one number: SPF adoption. By that number, Europe looks done — of the 14.8 million mail-carrying, confirmed-active business domains we observe, 81.8% publish an SPF record. Compliance checklists get ticked. Deliverability consultants move on.
But an SPF record is a sentence, and the sentence has an ending. It either ends in -all —
"reject mail that fails" — or in ~all — "flag it, deliver it anyway, someone else's
problem." Measured on live DNS, only 29.3% of Europe's mail-carrying domains publish the reject
ending. 47.4% publish soft-fail: the spoofed mail still arrives, wearing a warning label most mail
clients never show.
Per market, the two numbers tell opposite stories. Italy is an adoption champion — 89.2% of mail-carrying domains publish SPF — but only 1 in 4 of those publishers enforce. Sweden publishes least (65.5%) but its publishers enforce at the highest rate on the continent: 3 in 5. Poland is the only market strong on both axes.
Soft-fail is the safe default of the entire onboarding chain. Hosting panels generate ~all
so a customer's newsletter never bounces during setup. Consultants recommend ~all "for the
transition" — and the transition never ends, because nothing breaks. That is exactly the problem:
a policy that never breaks anything also never blocks anything.
The countries that enforce are instructive. Poland's 53.8% and Sweden's publisher-enforcement rate (~60% of those who publish) don't come from stricter businesses — they come from national provider defaults and registrar practice. Email enforcement is an infrastructure-supply property before it is a customer-demand property. Which is also the commercial point: the operator who flips their default moves their whole book up this chart.
The receivers already flipped the switch. Since 2024, Google and Yahoo reject or junk bulk mail that fails authentication — the era of "flag it and deliver anyway" is ending on the receiving side regardless of what senders publish. A hosting book full of soft-fail customers is a book whose newsletters and invoices are drifting toward spam folders: deliverability incidents, support tickets, and churn that lands on the operator's P&L, not the customer's security budget.
Spoofing is the loss line, not the hypothetical. Business email compromise — the fraud that weak
enforcement invites — is consistently among the largest cyber-loss categories insurers pay out. A domain
publishing ~all is a domain any attacker can impersonate with mail that most receivers still
deliver. For insurers and lenders, the enforcement share of a book is an underwritable, portfolio-level
risk number; adoption percentages are not (everyone's is ~80%).
For hosting operators, this is a rare differentiator that isn't price. Enforcement is an infrastructure-supply property — the operator who ships reject-on-fail defaults plus DMARC setup and authentication monitoring moves the whole book up this chart, cuts their own deliverability support load, and sells protection into a base that increasingly has to buy it anyway. We benchmark posture per operator book, so the gap to peers is a number, not a pitch.
-all; soft-fail ~all = 47.4% of Europe's
mail-carrying domains. What this brief does NOT measure: DMARC. Our scanner currently reads apex
TXT only, so genuine DMARC adoption (_dmarc.<domain>) is not yet collected — we found
52,615 European domains with DMARC records misplaced at the apex (a misconfiguration tally, not adoption),
and we deliberately do not infer DMARC coverage from it. DMARC measurement is queued; this brief will be
updated when it lands. Domain-level, aggregate-only; per-operator posture lives in the product.Every figure here is queryable through the HostingBrain connector. In Claude or any MCP-compatible assistant, this is the whole brief in one prompt:
“Using HostingBrain, compare SPF adoption versus SPF hard-fail enforcement across European markets — Europe overall, then Poland, Italy, Sweden and Germany. Which markets publish but don't enforce?”
Resolves to email_security (free). See definitions('spf_posture').
Reproduce this analysis: the email_security
tool returns adoption, hard-fail and soft-fail shares for every market above — free tier. Per-operator
posture: email_security(operator=...) (Pro).
Ask the follow-up yourself. HostingBrain answers questions like this — with the date, denominator and caveats attached — inside Claude and any MCP-compatible assistant.